I had installed Elasticsearch and Kibana, running version 5.1.1, and I tried to run Winlogbeat, but I couldn't get any data; instead it throws this error in the logs:
ERR Connecting error publishing events (retrying): Get https://localhost:9200: http: server gave HTTP response to HTTPS client
Winlogbeat YML:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
  - name: Security
    ignore_older: 24h
  - name: System
    ignore_older: 24h
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    ignore_older: 24h
Out of the box Elasticsearch does not support HTTPS. If you have not explicitly secured it, I would recommend trying to connect using HTTP instead of HTTPS.
logging.to_files: true
logging.files:
  path: 'C:\ProgramData\winlogbeat\Logs'
logging.level: info
When I ran the .\winlogbeat -e command, it started giving the 401 Unauthorized error.
X-Pack has been added, so it is secured with credentials, but after providing the Elasticsearch credentials as well, I still hit the Unauthorized issue. (2016/12/26 05:48:18.861011 single.go:140: ERR Connecting error publishing events (retrying): 401 Unauthorized)
Would you please let me know the right way to provide the Elasticsearch credentials in the .yml file? Thanks!
Yep, I provided the Elasticsearch credentials in winlogbeat.yml and was successfully able to create the logs and data. Below is the snippet:
PS C:\Program Files\Winlogbeat> .\winlogbeat -e
2016/12/26 06:09:22.928711 beat.go:267: INFO Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2016/12/26 06:09:22.929711 beat.go:177: INFO Setup Beat: winlogbeat; Version: 5.1.1
2016/12/26 06:09:22.930711 output.go:167: INFO Loading template enabled. Reading template file: C:\Program Files\Winlogbeat\winlogbeat.template.json
2016/12/26 06:09:22.928711 logp.go:219: INFO Metrics logging every 30s
2016/12/26 06:09:22.933711 output.go:178: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\Program Files\Winlogbeat\winlogbeat.template-es2x.json
2016/12/26 06:09:22.935711 client.go:120: INFO Elasticsearch url: http://localhost:9200
2016/12/26 06:09:22.936711 outputs.go:106: INFO Activated elasticsearch as output plugin.
2016/12/26 06:09:22.937711 publish.go:291: INFO Publisher name: AAEINBLR03199L
2016/12/26 06:09:22.944711 async.go:63: INFO Flush Interval set to: 1s
2016/12/26 06:09:22.944711 async.go:64: INFO Max Bulk Size set to: 50
2016/12/26 06:09:22.945711 winlogbeat.go:71: INFO State will be read from and persisted to C:\Program Files\Winlogbeat\data.winlogbeat.yml
2016/12/26 06:09:22.947711 beat.go:207: INFO winlogbeat start running.
2016/12/26 06:09:22.997711 client.go:652: INFO Connected to Elasticsearch version 5.1.1
2016/12/26 06:09:22.998711 output.go:214: INFO Trying to load template for client: http://localhost:9200
2016/12/26 06:09:22.999711 output.go:235: INFO Template already exists and will not be overwritten.
2016/12/26 06:09:23.012711 winlogbeat.go:237: INFO EventLog[Application] Successfully published 2 events
And would you please help me in getting this on the Kibana dashboard? Thanks so much for your help.
If the initial issue has been resolved, I would recommend that you create a new issue in the appropriate category for getting advice on how to best visualize this in Kibana. I do not have any Windows machine available, so will unfortunately not be able to help.
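For readers who land here with the same two errors: the thread does not show the working output section, so this is an added example, not the poster's actual configuration. The user name, the environment variable name and the CA path are placeholders.

```yaml
# Added example (not from the thread). Placeholder values are marked.
output.elasticsearch:
  # The scheme must match what the node actually serves. The successful run
  # above logs "Elasticsearch url: http://localhost:9200"; pointing an
  # https:// URL at that same node produces
  # "http: server gave HTTP response to HTTPS client".
  hosts: ["http://localhost:9200"]

  # With X-Pack security enabled, requests without valid credentials are
  # answered with "401 Unauthorized".
  username: "winlogbeat_writer"   # placeholder user name
  # ${VAR} is expanded from the environment of the Winlogbeat process, so the
  # password does not have to be written into winlogbeat.yml.
  password: "${ES_PWD}"           # placeholder variable name

# Basic-auth credentials sent over plain HTTP are not encrypted on the wire.
# Once TLS is enabled on the Elasticsearch node, switch both the scheme and
# the trust settings:
#
# output.elasticsearch:
#   hosts: ["https://localhost:9200"]
#   username: "winlogbeat_writer"
#   password: "${ES_PWD}"
#   ssl.certificate_authorities: ['C:\path\to\ca.pem']   # placeholder path
```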